Enterprise security is often compared to a piece of candy: hard on the outside, soft on the inside. The problem with this model is that if your perimeter is breached, the damage can quickly spread from application to application. If, for example, your Web servers are allowed to “talk” to your VoIP infrastructure, a worm affecting the Web servers can take down your phones. A potential solution to this problem is to partition your data center by application so that the security risk can be compartmentalized.

But there are two problems with this approach. It can be very costly to deploy enough firewalls and other security appliances to partition the data center in such a fashion. Even more importantly, segmentation reduces flexibility. If you later decide that you want to integrate your telephony with your Web portal, allowing users to “click-and-dial” from the Web, you would have to re-engineer your security infrastructure to reflect this new business goal. By segmenting your data center, you are essentially “freezing” your current mix of applications by coupling them to a static security infrastructure. Locking your infrastructure to your current business structure restricts your ability to innovate and react to changing business circumstances.

Securing the data center with a static security infrastructure is in direct conflict with the goals of “on-demand” computing, because your computing, storage and networking are virtualized while your security infrastructure is based on static appliances. The solution to this conflict is to virtualize the security infrastructure so that you can change the security “layout” in software rather than having to rewire your data center.

Security vendors are already implementing the vision of a virtualized security infrastructure.
Inkra Networks is the pioneer in this field with a set of products that allow you to deploy firewalls, intrusion detection systems, VPN and load-balancing modules in a completely virtual “rack” that can be “rewired” using a software interface. This allows you to remotely apply a security policy that segments the Web servers from the VoIP infrastructure today, and remotely rewire the “virtual rack” to converge the Web and VoIP tomorrow.

In June, Cisco announced a virtual firewall module for the Catalyst 6500 platform that gives security administrators the ability to define “logical” firewalls between switching points. While Cisco’s VPN and IDS modules cannot currently be virtualized in the same fashion as the firewall module, this would be a logical next step towards completely virtual security services on the Catalyst.

Bottom Line: To respond to the emergence of the “porous” perimeter, data center managers must deploy security in depth within the data center to protect applications from each other. To avoid throwing out the “on-demand” baby with the security bath water, the data center strategy should focus on virtual “on-demand” security instead of stand-alone security appliances.
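The two arguments above (a worm on the Web servers must not be able to reach the VoIP infrastructure, and enabling click-and-dial later should be a policy change rather than a rewiring job) become concrete if the inter-zone policy is treated as data that a virtual firewall enforces. The following Python is an added example written for this page; it is not Inkra's or Cisco's product code or configuration syntax, and the zone names, ports and rules are assumptions chosen for illustration.

```python
"""Inter-zone segmentation policy expressed as data (added example, not vendor code).

Zone names, ports and rules below are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple, Union

# Compartments of the data center, following the article's Web / VoIP example.
ZONES = {"internet", "web", "voip", "db", "mgmt"}
ANY = "*"


@dataclass(frozen=True)
class Rule:
    """One permitted flow: src zone -> dst zone on proto/port. ANY is a wildcard."""
    src: str
    dst: str
    proto: str               # "tcp" or "udp"
    port: Union[int, str]    # destination port, or ANY

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src in (src, ANY) and self.dst in (dst, ANY)
                and self.proto == proto and self.port in (port, ANY))


def is_allowed(policy: Iterable[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """Default deny between zones: a flow passes only if some rule permits it."""
    return any(r.matches(src, dst, proto, port) for r in policy)


def blast_radius(policy: Iterable[Rule], start: str) -> Set[str]:
    """Zones a compromised host in `start` can reach by following permitted
    flows transitively, on any permitted port. This is the worm-spread question."""
    policy = tuple(policy)
    reached: Set[str] = set()
    frontier = [start]
    while frontier:
        zone = frontier.pop()
        for r in policy:
            if r.src not in (zone, ANY):
                continue
            targets = (ZONES - {zone}) if r.dst == ANY else {r.dst}
            for t in targets:
                if t != start and t not in reached:
                    reached.add(t)
                    frontier.append(t)
    return reached


def policy_diff(old: Iterable[Rule], new: Iterable[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Rules added and rules removed when moving from `old` to `new`."""
    old_s, new_s = set(old), set(new)
    return new_s - old_s, old_s - new_s


def validate(policy: Iterable[Rule]) -> List[str]:
    """Lint the policy for mistakes that silently undo segmentation."""
    problems = []
    for i, r in enumerate(policy):
        for z in (r.src, r.dst):
            if z != ANY and z not in ZONES:
                problems.append(f"rule {i}: unknown zone {z!r}")
        if r.src == ANY and r.dst == ANY:
            problems.append(f"rule {i}: any-to-any rule defeats segmentation")
    return problems


# Today: the Web tier and the VoIP tier are isolated from each other.
SEGMENTED = (
    Rule("internet", "web", "tcp", 443),     # HTTPS to the Web portal
    Rule("internet", "voip", "udp", 5060),   # SIP signalling to the phones
    Rule("web", "db", "tcp", 5432),          # portal to its database
    Rule("mgmt", ANY, "tcp", 22),            # administrators to everything
)

# Tomorrow: click-and-dial needs the Web tier to reach the VoIP tier.
# It is one added rule scoped to SIP (assumed port), not a rewiring job.
CONVERGED = SEGMENTED + (Rule("web", "voip", "tcp", 5060),)


if __name__ == "__main__":
    for name, policy in (("segmented", SEGMENTED), ("converged", CONVERGED)):
        print(name, "lint:", validate(policy) or "ok")
        print(name, "web can reach:", sorted(blast_radius(policy, "web")))
        # A worm on the Web tier probing SMB on the phones:
        print(name, "web->voip tcp/445:", is_allowed(policy, "web", "voip", "tcp", 445))
    added, removed = policy_diff(SEGMENTED, CONVERGED)
    print("change set: +", added, "-", removed)
```

Two points of practice are built into the example. First, the converged policy opens only the one flow click-and-dial needs, so a worm on the Web tier that tries any other port towards the phones is still denied; converging two tiers should never mean removing the wall between them. Second, `blast_radius` and `policy_diff` are the checks to run before pushing a change to a virtual firewall: they show what a compromised zone could now reach and exactly which rules changed, which is the review that a software-defined policy makes cheap and a rewired rack makes expensive.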